Revelation

Kenneth Albanowski kjahds "at" kjahds.com
Fri, 23 Oct 1998 20:14:35 +0000


On Fri, 23 Oct 1998, Nick Torkington wrote:

> We install VNC on classroom PCs so that it can be used as a teaching aid,
> broadcasting one screen to several students.  We stuff a standard password
> into each student's registry so that we can assist them remotely should they
> require help.
> 
> Even when VNC is executed as a service, students can easily call up the
> properties dialog and then use Revelation to discover this password,
> allowing them to maliciously "take over" other students PCs.
> 
> This has *actually* happened, despite some claims in this forum that it is
> not possible because VNC doesn't work in that way.
> 
> I'd like to continue to use VNC as it has saved us a lot of time over the
> past few weeks, but until this security problem is addressed we're forced to
> withdraw it.

It strikes me that it should be possible to save the "Preferences" dialog
simply by changing it so that it never displays the original password
(even in asterisk'd form), leaving the field blank until a user types in a
new one. (Indeed, I can't think of a good reason to ever pre-load a
password field.) 

However, that points out a basic problem here: the password _is_ available
in the registry, as you point out yourself. If someone can run a "tool"
like Revelation, I see no difficulty with them running regedit, or even
using a debugger to find the password in RAM. I take it your problem is
strictly one of difficulty: it's just too easy to use Revelation to pick
out the password, regedit is difficult enough to not be viewed as a
problem. 

-- 
Kenneth Albanowski (kjahds "at" kjahds.com, CIS: 70705,126)



---------------------------------------------------------------------
The VNC mailing list     -   see http://www.orl.co.uk/vnc/intouch.html
---------------------------------------------------------------------